Skip to Content

The Elements Of Cyber Risk Coverage

Articles Theresa Grafenstine, CIA, CGAP, CPA, CISSP Aug 08, 2022

Computer processes are now commingled in almost every business task. It would be difficult to point to an organization that performs payroll by hand, uses green ledger paper to record its financial statements, or sends letters to colleagues in lieu of email. It makes sense, then, that The IIA’s 2022 North American Pulse of Internal Audit benchmarking survey reports that “technology is the common risk driver of the top three highest risk areas — cybersecurity, IT, and third-party relationships, which often include IT services.” 

Within the report, 85% of respondents rate cybersecurity as a high or very high risk, but audit functions overall allocate only 11% of their audit plan time to covering it. In comparison, operations, which only 36% of respondents rank as a high or very high risk, receives 15% of allocated audit time and financial reporting (including internal control over financial reporting), which only 14% of respondents rank as high or very high risk, receives 14% of allocated audit time. This means that almost one-third of the audit plan is spent on areas with significantly less risk than cybersecurity. This is confounding. As organizations become more reliant on technology and online interfaces with customers and third parties, audit coverage should shift to this greater risk exposure. 

Adapting the Audit Function

So why does internal audit continue to spend time auditing areas with lower risk ratings? The IIA survey also sheds some light on this. The CAEs, directors, and senior managers surveyed say their top areas of concern for their audit functions are staff competencies and emerging risk coverage. Specifically, “technology skills of staff” and “internal audit use of technology” were the most frequently cited reasons for their concerns. The reason for a lack of coverage may be that auditing cybersecurity pushes internal audit out of its comfort zone. Learning how to assess cybersecurity and technology is like any other new proficiency. Auditors need to take those initial steps to get started and do what internal audit does best: Do a little homework and ask good questions. The biggest barrier to auditing any new topic, including cybersecurity, is knowing where to start. In the garden of cyber challenges, there is plenty of low-hanging fruit, beginning with phishing and patching.

Phishing and Patching

In nearly every cyber breach, phishing and poor patch-management practices play significant roles. Yet testing these controls does not require an auditor to possess heavy technical skills. At a very basic level, phishing is when a threat actor sends an email that contains malware to a target. Depending on the sophistication of the actor, the phishing email can range from being fairly easy to detect such as the unknown prince who wants to send someone millions of dollars to a specially crafted email that has been spoofed to appear to come from someone known to the target and on a topic of importance to them. Although many technology solutions can help detect potential phishing emails, it all comes down to people. If people do not click links, it becomes very difficult for a phishing attack to be successful. 

The natural question for an auditor to ask management is, “How do we train our employees not to be victims of a phishing attack?” At a minimum, employees should be required to take some type of annual security training. Ideally, organizations should be running internal phishing campaigns to test employee awareness. This is where an organization sends mock-phishing emails to its staff. An employee who clicks a mock-phishing link is usually directed to online remediation training and a note is sent to his or her manager. For repeat offenders, their external email access could be removed. People are the frontline defenders in the phishing war. Organizations need to train them. 

Patching is another big cybersecurity focus area. Software developers issue patches for known software defects or common vulnerabilities and exposures. When individuals download the latest update to their phones or laptops, they are installing patches. The main point about the defects being known is that threat actors also know about these defects. The quicker the organization installs patches, the quicker it can close this threat vector. Auditors should determine if their organization has a patching program that tracks open vulnerabilities and exposures, measures time-to-remediation, and has appropriate signoffs and process rigor for any patches that are not installed.

Identity and Access Management

In essence, identity and access management procedures are the classic auditor controls regarding least privilege and segregation of duties. Least privilege means that people (and systems) should have the very minimal amount of access needed to do their job. This lowers the risk that employees will abuse their access and reduces the damage caused by a threat actor if an account is hijacked. Segregation of duties looks at toxic combinations of rights. For example, can a user both create and approve his or her transaction? Auditors should review the process used to determine whether access rights are appropriate.

Privileged user accounts have elevated rights, meaning they can access and control additional resources and inflict a lot of damage if abused. To prevent this, administrators should be limited to as few as necessary to perform a function, and auditors should ask if management has tied each privileged account to a specific individual. Group accounts, where multiple people access the same account to perform privileged user functions, blur accountability because it is impossible to determine who did what. 

Management should have policies and controls to ensure that privileged accounts are only used to perform privileged functions. For all other tasks, employees should log on using their regular user credentials. Policies and controls also should prevent the ability to “nest” administrator accounts, which is when a privileged user appears to be one person or entity but is really an entire group or organization. For instance, to simplify things for its team, an outside vendor may create an account that provides the entire company or team privileged access. This should not be allowed and should be specifically prohibited in contracts.

Inventory Management

Poor inventory management is the root cause for so many technology ills. If an organization does not know what technology assets it has, how can it protect them? With no clear idea how many servers or operating systems are running, for example, it is impossible for a business to have any assurance that these are appropriately patched.

Theresa Grafenstine, CIA, CGAP, CPA, CISSP

Terry Grafenstine is executive vice president, CAE, at PenFed Credit Union in McLean, Va.